On Fri, 2005-04-22 at 09:56 +0100, Al Viro wrote: > > +static int inotify_ignore(struct inotify_device *dev, s32 wd) > > +{ > > + struct inotify_watch *watch; > > + struct inode *inode; > > + > > + down(&dev->sem); > > + watch = idr_find(&dev->idr, wd); > > + if (unlikely(!watch)) { > > + up(&dev->sem); > > + return -EINVAL; > > + } > > + get_inotify_watch(watch); > > + up(&dev->sem); > > + > > + inode = watch->inode; > > + down(&inode->inotify_sem); > > + down(&dev->sem); > > + remove_watch(watch, dev); > > + up(&dev->sem); > > + up(&inode->inotify_sem); > > + put_inotify_watch(watch); > > + > > + return 0; > > +} > > So what happens if > * something is holding inotify_sem right now > * ten threads call that on the same watch > * all of them get to down(&inode->inotify_sem); and block there, > having acquired ten references to the watch > * after whatever had been holding ->inotify_sem in the first place > releases it, they will one by one go through the rest of function. And > drop _20_ references to the watch. 9 of those - after we kfree() the > watch...
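Review bot: inotify_ignore() does not re-validate the watch after it drops dev->sem and later retakes inode->inotify_sem and dev->sem, so every caller that looked up the same wd before the first removal goes on to call remove_watch(watch, dev). Each caller balances its own get_inotify_watch() with the final put_inotify_watch(), but remove_watch() also drops the reference taken at creation (per the reply below, its put pairs with the get in create_watch ()), and that reference exists only once. N concurrent callers therefore drop it N times, and the puts that follow the count reaching zero operate on a freed watch. Suggest repeating the lookup once both semaphores are held and calling remove_watch() only if idr_find(&dev->idr, wd) still returns this watch; otherwise drop the local reference and return.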
In create_watch () we call get_inotify_watch (), which maps to the put_inotify_watch() in remove_watch(). As far as I can tell the ref counting is 1 for 1.

--
John McCutchan <[EMAIL PROTECTED]>